Delivery-date: Fri, 14 Oct 2022 18:42:13 +0200
From: Marco Felsch
To: oss-tools@pengutronix.de
Cc: mfe@pengutronix.de
Date: Fri, 14 Oct 2022 18:41:53 +0200
Message-Id: <20221014164204.3812506-4-m.felsch@pengutronix.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20221014164204.3812506-1-m.felsch@pengutronix.de>
References: <20221014164204.3812506-1-m.felsch@pengutronix.de>
Subject: [OSS-Tools] [PATCH dt-utils 03/14] state: backend_storage: deal gracefully with runtime bucket corruption

This ports the following barebox commit

| commit dc5100e6ba686fafd5570ce6d972383f047c7313
| Author: Ahmad Fatoum
| Date:   Thu Mar 5 08:40:31 2020 +0100
|
| state: backend_storage: deal gracefully with runtime bucket corruption
|
| Corrupting an already selected bucket and then reading it again will
| crash barebox when it attempts the refresh:
|
| barebox$ state -l
| barebox$ mw -d /dev/eeprom0.state 0 0x42
| barebox$ state -l
| ERROR: state: No meta data header found
| state: Using bucket 1@0x00000040
| unable to handle NULL pointer dereference at address 0x00000000
| pc : [<4fe4f1ea>] lr : [<4fe0bcb1>]
| sp : 4ffefd5c ip : 00000000 fp : 2ff68f04
| r10: 4ffefdc8 r9 : 4b434d63 r8 : 30155f50
| r7 : 00000024 r6 : 2ff68b60 r5 : 2ff68e90 r4 : 00000000
| r3 : 00000024 r2 : 00000024 r1 : 30155f50 r0 : 00000000
| Flags: Nzcv IRQs off FIQs off Mode SVC_32
| WARNING: [<4fe4f1ea>] (memcmp+0x14/0x1a) from [<4fe0bcb1>] (bucket_refresh.isra.0+0x4d/0x78)
| WARNING: [<4fe0bcb1>] (bucket_refresh.isra.0+0x4d/0x78) from [<4fe0be1d>] (state_storage_read+0xd1/0x104)
| WARNING: [<4fe0be1d>] (state_storage_read+0xd1/0x104) from [<4fe0a5bd>] (state_do_load+0x1d/0x78)
| WARNING: [<4fe0a5bd>] (state_do_load+0x1d/0x78) from [<4fe04137>] (execute_command+0x23/0x4c)
|
| The memcmp called here is an optimization to skip I/O if the used bucket
| and the one to be refreshed compare equal. Unfortunately, if the now
| corrupt bucket was previously the used one, bucket->len will hold the
| old value and we'll run into a NULL pointer dereference.
|
| While this is quite inconvenient, it appears it doesn't affect
| correctness: after the reset, the corrupt bucket will be refreshed
| as expected.
|
| Improve upon this by setting the length to zero when we are NULLing the
| buffer. The zero length of the corrupted bucket will then compare unequal
| to used_bucket->len in bucket_refresh() and ensure we will always refresh
| the buffer if it becomes corrupted without an intermittent reset.
|
| Fixes: 238008b4bd8f ("state: Drop cache bucket")
| Cc: Enrico Jörns
| Signed-off-by: Ahmad Fatoum
| Signed-off-by: Sascha Hauer

Signed-off-by: Marco Felsch
---
 src/barebox-state/backend_storage.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/barebox-state/backend_storage.c b/src/barebox-state/backend_storage.c
index 509427f..458f2a9 100644
--- a/src/barebox-state/backend_storage.c
+++ b/src/barebox-state/backend_storage.c
@@ -192,6 +192,7 @@ int state_storage_read(struct state_backend_storage *storage, /* Free buffer from the unused buckets */ free(bucket->buf); bucket->buf = NULL; + bucket->len = 0; } /*
@@ -204,6 +205,7 @@ int state_storage_read(struct state_backend_storage *storage, /* buffer from the used bucket is passed to the caller, do not free */ bucket_used->buf = NULL; + bucket_used->len = 0; return 0; }
-- 
2.30.2
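Review bot: in the first hunk (@@ -192,6 +192,7 @@), adding `bucket->len = 0;` after `bucket->buf = NULL;` removes the crash only indirectly: bucket_refresh() still reaches memcmp() whenever the two lengths match, and the patch leaves that comparison untouched, so the invariant "buf == NULL implies len == 0" now has to be upheld at every site that frees a bucket buffer. Consider also guarding the memcmp() in bucket_refresh() with an explicit `bucket->buf` check, so that a future free(bucket->buf) without the matching len reset cannot reintroduce the NULL pointer dereference shown in the commit message.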
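Review bot: in the second hunk (@@ -204,6 +205,7 @@), `bucket_used->buf = NULL;` followed by `+ bucket_used->len = 0;` is the same two-statement sequence as in the hunk above, just without the free(); a small helper that NULLs the buffer and zeroes the length together would keep the invariant in one place. It would also help reviewers if the commit message stated whether any path outside state_storage_read() frees a bucket buffer, since the fix depends on len staying consistent with buf everywhere.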
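The following is an added example and not barebox or dt-utils code, nor part of the patch: a minimal C model of the refresh shortcut the commit message describes. It shows why a stale bucket->len after the buffer has been freed makes the length-then-memcmp() optimization dereference NULL, and how the invariant the patch restores (buf == NULL implies len == 0) makes the corrupted bucket compare unequal and get refreshed. The struct layout, the helper names (bucket_clear, bucket_needs_refresh, shortcut_would_deref_null, run_scenario) and the 0x40-byte bucket size are assumptions of this example; the pre-patch crash is reported as a condition rather than executed.

```c
/* Added example, not project code. Models the bucket refresh shortcut from
 * the commit message; all names and sizes below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct bucket {
	void *buf;	/* copy of the bucket contents, NULL once freed */
	size_t len;	/* length of buf; the patch keeps this 0 whenever buf is NULL */
};

/* Pre-patch behaviour: the buffer is NULLed but len keeps its old value. */
static void bucket_drop_unfixed(struct bucket *b)
{
	free(b->buf);
	b->buf = NULL;
}

/* Patched behaviour: NULLing the buffer also zeroes the length. */
static void bucket_clear(struct bucket *b)
{
	free(b->buf);
	b->buf = NULL;
	b->len = 0;
}

/* Would the pre-patch shortcut `b->len == used->len && !memcmp(b->buf,
 * used->buf, b->len)` hand memcmp() a NULL pointer?  Reported instead of
 * executed so the example demonstrates the hazard without crashing. */
static bool shortcut_would_deref_null(const struct bucket *used, const struct bucket *b)
{
	return b->len == used->len && b->len != 0 &&
	       (b->buf == NULL || used->buf == NULL);
}

/* Refresh decision under the patched invariant: a cleared bucket has len 0,
 * compares unequal to any loaded bucket and is always refreshed; memcmp() is
 * only reached with two live buffers of equal length. */
static bool bucket_needs_refresh(const struct bucket *used, const struct bucket *b)
{
	if (b->len != used->len)
		return true;
	if (b->buf == NULL || used->buf == NULL)
		return true;	/* defensive: never rely on len alone */
	return memcmp(b->buf, used->buf, b->len) != 0;
}

/* Constructed bucket contents; a real bucket would come from the backend. */
static struct bucket make_bucket(size_t len, unsigned char fill)
{
	struct bucket b = { malloc(len), len };
	if (b.buf)
		memset(b.buf, fill, len);
	return b;
}

/* Scenario from the commit message: bucket 0 was in use and is now corrupt
 * (simulated by dropping its buffer), bucket 1 holds the good copy.
 * Returns 1 if the unfixed path would dereference NULL, 2 if the fixed
 * path refreshes the corrupt bucket cleanly, 0 otherwise. */
static int run_scenario(bool fixed)
{
	struct bucket b0 = make_bucket(0x40, 0xa5);	/* previously used, now corrupt */
	struct bucket b1 = make_bucket(0x40, 0xa5);	/* good copy, now the used bucket */
	int result = 0;

	if (fixed)
		bucket_clear(&b0);
	else
		bucket_drop_unfixed(&b0);

	if (!fixed && shortcut_would_deref_null(&b1, &b0))
		result = 1;
	else if (fixed && bucket_needs_refresh(&b1, &b0))
		result = 2;

	free(b1.buf);
	return result;
}

/* The optimization still works: two identical live buckets skip the I/O. */
static bool identical_buckets_skip_io(void)
{
	struct bucket used = make_bucket(0x40, 0x42);
	struct bucket b = make_bucket(0x40, 0x42);
	bool skip = !bucket_needs_refresh(&used, &b);

	free(used.buf);
	free(b.buf);
	return skip;
}

int main(void)
{
	printf("unfixed: %s\n", run_scenario(false) == 1 ? "memcmp() would dereference NULL" : "ok");
	printf("fixed:   %s\n", run_scenario(true) == 2 ? "corrupt bucket is refreshed" : "ok");
	printf("identical buckets skip I/O: %s\n", identical_buckets_skip_io() ? "yes" : "no");
	return 0;
}
```

The stale-length case is exactly the one the patch closes: with `bucket_drop_unfixed()` the lengths still match, so the shortcut proceeds to memcmp() on a NULL buffer; with `bucket_clear()` the length mismatch alone forces the refresh. The extra NULL check in `bucket_needs_refresh()` is belt-and-braces that the patch itself does not add.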